2024-02-28 13:38:03

by Andrey Skvortsov

[permalink] [raw]
Subject: Re: [PATCH] crypto: rk3288 - Fix use after free in unprepare

On 24-02-28 17:13, Herbert Xu wrote:
> The unprepare call must be carried out before the finalize call
> as the latter can free the request.
>
> Fixes: c66c17a0f69b ("crypto: rk3288 - Remove prepare/unprepare request")
> Reported-by: Andrey Skvortsov <[email protected]>
> Cc: <[email protected]>
> Signed-off-by: Herbert Xu <[email protected]>
>
> diff --git a/drivers/crypto/rockchip/rk3288_crypto_ahash.c b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
> index 1b13b4aa16ec..a235e6c300f1 100644
> --- a/drivers/crypto/rockchip/rk3288_crypto_ahash.c
> +++ b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
> @@ -332,12 +332,12 @@ static int rk_hash_run(struct crypto_engine *engine, void *breq)
> theend:
> pm_runtime_put_autosuspend(rkc->dev);
>
> + rk_hash_unprepare(engine, breq);
> +
> local_bh_disable();
> crypto_finalize_hash_request(engine, breq, err);
> local_bh_enable();
>
> - rk_hash_unprepare(engine, breq);
> -
> return 0;
> }
>
Thanks, that was quick. I had locally the same change.

Reviewed-by: Andrey Skvortsov <[email protected]>

--
Best regards,
Andrey Skvortsov